https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096916#M393758 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>So why dont you perform a destination Port-forwarding but in this case saying any packet being sourced from port 500 or 4500 look like 12.x.y.z??</P><P></P><P>Also what do you mean by a reply? are those packets going to start on the outside world or this devices will start the Isakmp connections?</P><P></P><P>Regards,</P></BODY></HTML> Mon, 24 Dec 2012 23:43:16 GMT Julio Carvajal 2012-12-24T23:43:16Z https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096915#M393756 <P>Hi,</P><P></P><P>I'm pretty sure the answer to this is that only one-to-one NAT will do, but in case I've missed a trick, please let me know. I have several internal devices that need to use PAT (due to limited global ip addresses) as shown below where incoming tcp 2201 is translated to ssh and directed to the first device, tcp 2201 gets translated and directed the the 2nd device, and so on.</P><P></P><P>object network device1</P><P> host 10.1.10.35</P><P> nat (inside,outside) static 12.x.y.z service tcp 22 2201</P><P></P><P>object network device2</P><P> host 10.2.10.35</P><P> nat (inside,outside) static 12.x.y.z service tcp 22 2202</P><P></P><P>object network device3</P><P> host 10.3.10.35</P><P> nat (inside,outside) static 12.x.y.z service tcp 22 2203 </P><P></P><P>The vendor of these devices would like to see the return traffic, which is not ssh but udp 500 and udp 4500, egress the same address above 12.x.y.z</P><P></P><P>Is there a way to do that without one-to-one NAT?</P> Tue, 12 Mar 2019 00:40:49 GMT https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096915#M393756 lcaruso 2019-03-12T00:40:49Z https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096916#M393758 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>So why dont you perform a destination Port-forwarding but in this case saying any packet being sourced from port 500 or 4500 look like 12.x.y.z??</P><P></P><P>Also what do you mean by a reply? are those packets going to start on the outside world or this devices will start the Isakmp connections?</P><P></P><P>Regards,</P></BODY></HTML> Mon, 24 Dec 2012 23:43:16 GMT https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096916#M393758 Julio Carvajal 2012-12-24T23:43:16Z https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096917#M393760 <HTML><HEAD></HEAD><BODY><P>My example description is wrong, but maybe you picked up on that. </P><P></P><P>From the outside inbound...</P><P>tcp 2201 translates to ssh and is sent to device1</P><P>tcp 2202 ssh to device2</P><P>tcp 2203 ssh to device3</P><P></P><P>These devices accept ssh connections and then initiate a tunnel outbound with udp 500 and udp 4500. </P><P></P><P>Given the PAT config already in place, I'm not sure how to code your suggestion.</P><P></P><P>Can you give me an example?</P></BODY></HTML> Tue, 25 Dec 2012 01:40:50 GMT https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096917#M393760 lcaruso 2012-12-25T01:40:50Z https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096918#M393762 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Well as the oubound connection will be in place because of the inbound connection as you said there is no way to make that happen </P><P></P><P>Sorry to tell you that my friend </P><P></P><P>Merry Christmas</P><P></P><P>Julio</P></BODY></HTML> Tue, 25 Dec 2012 02:09:40 GMT https://community.cisco.com/t5/network-security/pat-limitation/m-p/2096918#M393762 Julio Carvajal 2012-12-25T02:09:40Z